One Article Review
| Source |  CVE Liste |
|---|---|
| Identifiant | 8318939 |
| Date de publication | 2023-03-15 21:15:08 (vue: 2023-03-15 23:07:47) |
| Titre | CVE-2023-26484 |
| Texte | KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure-in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, gatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node. |
| Envoyé | Oui |
| Condensat | 2023 26484 `virt access account add all appear are available beyond block can cluster components compromise compromised could critical cve daemon elevate exec exploit full gatekeeper handler handler` has having high instance its kubernetes kubevirt level lure machine malicious management misused modify node nodes once other over patches pods potentially prior privileged privileges publication read running secrets service set simplest simply spec specific specs system taken time unschedulable until used user users versions virt virtual wait way webhook where which whole will workaround |
| Tags | |
| Stories | Uber |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.